tico wrote:
Ditto.
This has just caused me the same problems. Alex at Hurricane Electric
found this for me, and my ipv4 BGP sessions have *only* stabilized
after filtering out this prefix (4.4-RELEASE on i386).
I'll post up MRT dumps if anyone's interested.
-Tico
Peter Bristow wrote:
Hi All,
The AS at the company I work for running (OpenBSD 4.2 and 4.3) as
well as
the AS run by a associate of mine (OpenBSD 4.4) experienced rather wild
route flaps earlier today. Quoted from Andy Davidson's post to nanog.
"It seems that the prefix causing OpenBGPd speakers to die is
91.207.218.0/23, which is originated by a 4-byte ASN speaker.
OpenBGPd is checking AS4_PATH to ensure that it contains only AS_SET and
AS_SEQUENCE types, as per RFC4893. When processing the UPDATE for
91.207.218.0/23 it sees :
91.207.218.0/23
Path Attributes - Origin: Incomplete
Flags: 0x40 (Well-known, Transitive, Complete)
Origin: Incomplete (2)
AS_PATH: xx xx 35320 23456 (13 bytes)
AS4_PATH: (65044 65057) 196629 (7 bytes)
RFC4893 is clear on the matter :
"
To prevent the possible propagation of confederation path segments
outside of a confederation, the path segment types AS_CONFED_SEQUENCE
and AS_CONFED_SET [RFC3065] are declared invalid for the AS4_PATH
attribute.
"
OpenBGPd is therefore dropping the sessions when this update is
received.
Unideal if this attribute is learned on multiple upstreams...
The impact today is fairly limited as there are relatively few bgp
speakers
honouring the 4-byte ASN protocol extension rules, but as code that
support
these features creeps around the internet, the next time this happens
the
impact could be much greater, so we need to understand which
implementation
of which BGP software caused this illegal origination.
Modifying the OpenBGPd software to permit AS_CONFED_SEQUENCE,
AS_CONFED_SET
in an as4_path causes the path to be accepted and the session is not
torn
down. This isn't a great fix."
From looking at the source this would appear to be
'expected' behavior however it does leave you without any internet
connectivity. I'm not as much of a BGP guru as I should be but what
would be
the impact of dropping the route/update rather than dropping the
session?
Pete Bristow
Here's more information about my setup, just for completeness' sake:
dmesg:
OpenBSD 4.4 (GENERIC) #1021: Tue Aug 12 17:16:55 MDT 2008
[EMAIL PROTECTED]:/usr/src/sys/arch/i386/compile/GENERIC
cpu0: Intel(R) Pentium(R) 4 CPU 2.80GHz ("GenuineIntel" 686-class) 2.80 GHz
cpu0:
FPU,V86,DE,PSE,TSC,MSR,PAE,MCE,CX8,APIC,SEP,MTRR,PGE,MCA,CMOV,PAT,PSE36,CFLUSH,DS,ACPI,MMX,FXSR,SSE,SSE2,SS,HTT,TM,SBF,CNXT-ID,xTPR
real mem = 1072132096 (1022MB)
avail mem = 1028272128 (980MB)
mainbus0 at root
bios0 at mainbus0: AT/286+ BIOS, date 08/16/06, BIOS32 rev. 0 @ 0xfb6d0,
SMBIOS rev. 2.3 @ 0xf0800 (41 entries)
bios0: vendor Phoenix Technologies, LTD version "6.00 PG" date 08/16/2006
bios0: Supermicro P4SC8
apm0 at bios0: Power Management spec V1.2 (slowidle)
apm0: AC on, battery charge unknown
acpi at bios0 function 0x0 not configured
pcibios0 at bios0: rev 2.1 @ 0xf0000/0xdf64
pcibios0: PCI IRQ Routing Table rev 1.0 @ 0xfde80/224 (12 entries)
pcibios0: PCI Exclusive IRQs: 5 9 10 11 12
pcibios0: PCI Interrupt Router at 000:31:0 ("Intel 6300ESB LPC" rev 0x00)
pcibios0: PCI bus #3 is the last bus
bios0: ROM list: 0xc0000/0x8000
cpu0 at mainbus0
pci0 at mainbus0 bus 0: configuration mode 1 (no bios)
pchb0 at pci0 dev 0 function 0 "Intel 82875P Host" rev 0x02
ppb0 at pci0 dev 3 function 0 "Intel 82875P CSA" rev 0x02
pci1 at ppb0 bus 1
em0 at pci1 dev 1 function 0 "Intel PRO/1000CT (82547GI)" rev 0x00: irq
11, address 00:30:48:8a:26:8e
ppb1 at pci0 dev 28 function 0 "Intel 6300ESB PCIX" rev 0x02
pci2 at ppb1 bus 2
uhci0 at pci0 dev 29 function 0 "Intel 6300ESB USB" rev 0x02: irq 12
uhci1 at pci0 dev 29 function 1 "Intel 6300ESB USB" rev 0x02: irq 10
"Intel 6300ESB WDT" rev 0x02 at pci0 dev 29 function 4 not configured
"Intel 6300ESB APIC" rev 0x02 at pci0 dev 29 function 5 not configured
ehci0 at pci0 dev 29 function 7 "Intel 6300ESB USB" rev 0x02: irq 5
usb0 at ehci0: USB revision 2.0
uhub0 at usb0 "Intel EHCI root hub" rev 2.00/1.00 addr 1
ppb2 at pci0 dev 30 function 0 "Intel 82801BA Hub-to-PCI" rev 0x0a
pci3 at ppb2 bus 3
vga1 at pci3 dev 9 function 0 "ATI Rage XL" rev 0x27
wsdisplay0 at vga1 mux 1: console (80x25, vt100 emulation)
wsdisplay0: screen 1-5 added (80x25, vt100 emulation)
drm at vga1 unsupported
em1 at pci3 dev 10 function 0 "Intel PRO/1000MT (82541GI)" rev 0x00: irq
10, address 00:30:48:8a:26:8f
ichpcib0 at pci0 dev 31 function 0 "Intel 6300ESB LPC" rev 0x02: 24-bit
timer at 3579545Hz
pciide0 at pci0 dev 31 function 1 "Intel 6300ESB IDE" rev 0x02: DMA,
channel 0 configured to compatibility, channel 1 configured to compatibility
wd0 at pciide0 channel 0 drive 0: <WDC WD2500JB-57REA0>
wd0: 16-sector PIO, LBA48, 238475MB, 488397168 sectors
wd0(pciide0:0:0): using PIO mode 4, Ultra-DMA mode 5
pciide0: channel 1 disabled (no drives)
ichiic0 at pci0 dev 31 function 3 "Intel 6300ESB SMBus" rev 0x02: irq 9
iic0 at ichiic0
lm1 at iic0 addr 0x2d: W83627HF
spdmem0 at iic0 addr 0x50: 512MB DDR SDRAM non-parity PC3200CL3.0
spdmem1 at iic0 addr 0x52: 512MB DDR SDRAM non-parity PC3200CL3.0
usb1 at uhci0: USB revision 1.0
uhub1 at usb1 "Intel UHCI root hub" rev 1.00/1.00 addr 1
usb2 at uhci1: USB revision 1.0
uhub2 at usb2 "Intel UHCI root hub" rev 1.00/1.00 addr 1
isa0 at ichpcib0
isadma0 at isa0
com0 at isa0 port 0x3f8/8 irq 4: ns16550a, 16 byte fifo
com1 at isa0 port 0x2f8/8 irq 3: ns16550a, 16 byte fifo
pckbc0 at isa0 port 0x60/5
pckbd0 at pckbc0 (kbd slot)
pckbc0: using irq 1 for kbd slot
wskbd0 at pckbd0: console keyboard, using wsdisplay0
pcppi0 at isa0 port 0x61
midi0 at pcppi0: <PC speaker>
spkr0 at pcppi0
lpt0 at isa0 port 0x378/4 irq 7
wbsio0 at isa0 port 0x2e/2: W83627HF rev 0x41
lm2 at wbsio0 port 0x290/8: W83627HF
lm1 detached
npx0 at isa0 port 0xf0/16: reported by CPUID; using exception 16
fdc0 at isa0 port 0x3f0/6 irq 6 drq 2
biomask f765 netmask ff65 ttymask ffff
mtrr: Pentium Pro MTRR support
softraid0 at root
root on wd0a swap on wd0b dump on wd0b
umass0 at uhub0 port 2 configuration 1 interface 0 "BUFFALO INC. BUFFALO
INC. USB-SATA Bridge" rev 2.00/0.00 addr 2
umass0: using SCSI over Bulk-Only
scsibus0 at umass0: 2 targets, initiator 0
sd0 at scsibus0 targ 1 lun 0: <ST310003, 40AS, SD15> SCSI2 0/direct fixed
sd0: 953869MB, 121601 cyl, 255 head, 63 sec, 512 bytes/sec, 1953525168
sec total
censored bgpd.conf :
HE_edge0="64.62.180.89"
HE_edge0v6="2001:470:1:53:0000:0000:0000:1"
AS 30708
router-id 208.86.95.250
fib-update yes
#dump updates in "/tmp/all-in-%H%M" 300
#log updates
network 208.86.92.0/22
#network 2607:f618::/32
network 2607:F618:0000:0000:0000:0000:0000:0000/32
# neighbors and peers
group "peering Hurricane" {
remote-as 6939
neighbor $HE_edge0 {
descr "Hurricane_rtr0_v4"
announce IPv4 unicast
announce IPv6 none
announce self
#tcp md5sig password XXXXX
}
neighbor $HE_edge0v6 {
descr "Hurricane_rtr0_v6"
#announce capabilities no
announce IPv6 unicast
announce IPv4 none
announce self
}
}
# filter out prefixes longer than 24 or shorter than 8 bits
deny from any
allow from any inet prefixlen 8 - 24
allow from any inet6 prefixlen 12 - 48
# do not accept a default route
deny from any inet prefix 0.0.0.0/0 prefixlen = 0
#deny from any prefix 0.0.0.0/0
# filter bogus networks
deny from any inet prefix 10.0.0.0/8 prefixlen >= 8
deny from any inet prefix 172.16.0.0/12 prefixlen >= 12
deny from any inet prefix 192.168.0.0/16 prefixlen >= 16
deny from any inet prefix 169.254.0.0/16 prefixlen >= 16
#allow from any inet6 prefixlen 8 - 128
# blacklist
deny from any inet prefix 91.207.218.0/23 prefixlen = 23
--------------------------
This is what showed up in my /var/log/daemon right before the v4 session
would die:
Dec 10 20:10:52 earth bgpd[16706]: neighbor 64.62.180.89
(Hurricane_rtr0_v4) AS6
939: update 58.25.192.0/18 via 64.62.180.89
Dec 10 20:10:52 earth bgpd[16706]: neighbor 64.62.180.89
(Hurricane_rtr0_v4) AS6
939: update 121.77.0.0/18 via 64.62.180.89
Dec 10 20:10:52 earth bgpd[2494]: neighbor 64.62.180.89
(Hurricane_rtr0_v4): sta
te change Established -> Idle, reason: Fatal error
or
Dec 10 19:36:29 earth bgpd[16706]: neighbor 64.62.180.89
(Hurricane_rtr0_v4) AS6
939: update 213.227.230.0/23 via 64.62.180.89
Dec 10 19:36:29 earth bgpd[16706]: neighbor 64.62.180.89
(Hurricane_rtr0_v4) AS6
939: update 213.227.232.0/21 via 64.62.180.89
Dec 10 19:36:29 earth bgpd[2494]: neighbor 64.62.180.89
(Hurricane_rtr0_v4): sta
te change Established -> Idle, reason: Fatal error
Dec 10 19:36:40 earth bgpd[2494]: neighbor 64.62.180.89
(Hurricane_rtr0_v4): sta
te change Idle -> Active, reason: Start
A snippet from bgpctl sho nei :
BGP neighbor is 64.62.180.89, remote AS 6939
Description: Hurricane_rtr0_v4
BGP version 4, remote router-id 216.218.252.162
BGP state = Idle, down for 00:00:04
Last read 00:00:04, holdtime 240s, keepalive interval 80s
Message statistics:
Sent Received
Opens 1178 1178
Notifications 1178 0
Updates 1178 33280889
Keepalives 42201 1210
Route Refresh 0 0
Total 45735 33283277
Update statistics:
Sent Received
Updates 0 0
Withdraws 0 0
Last error: AS-Path unacceptable
----------------
I have MRT dumps from bgpd while I was trying to troubleshoot this
available online. Beware. They're large:
http://earth.raapid.net/extra/
Regards,
Tico
